ARTICLE
15 April 2026

“Sweet Home, Data Privacy” – Alabama’s New Privacy Law Is Coming Online In 2027

Taft Stettinius & Hollister

Contributor

Established in 1885, Taft is a nationally recognized law firm serving individuals and businesses worldwide, in both mature and emerging industries.
Alabama has enacted a comprehensive consumer privacy law that will take effect in May 2027, establishing new requirements for businesses that process personal data of state residents.

We have another one! We wrote last week about Oklahoma’s new consumer protection law. Now, Alabama has passed its own comprehensive privacy law. The Alabama Personal Data Protection Act, House Bill 351 (the Law), will go into effect on May 1, 2027.

Here is a general summary of what to expect:

Regulated Entities

The Law applies to individuals or businesses that either do business in Alabama or target products or services to Alabama residents and meet at least one of two thresholds.

  1. Control or process the personal data of more than 25,000 consumers, excluding data processed solely to complete a payment transaction.
  2. Derive more than 25% of gross revenue from the sale of personal data, regardless of how many consumers’ data is involved.

A “consumer” is an Alabama resident acting in an individual or household context; the Law does not cover individuals in a commercial or employment context. “Controllers” (those that determine purposes and means of processing) and “processors” (those that process on behalf of controllers) are both regulated, but most direct obligations fall on controllers.

Personal Data. The Law regulates “personal data” broadly defined as any information that is linked or reasonably linkable to an identified or identifiable individual. It does not cover de‑identified data or publicly available information, which are expressly excluded.

Sensitive Personal Data. Like many other states, the Alabama law calls out certain “sensitive” personal data, which carries additional obligations for the controller business.

Sensitive Data categories include, among others:

  • Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status.
  • Genetic or biometric data processed to uniquely identify an individual.
  • Precise geolocation data.
  • Personal data collected from a known child (under 13).

Controllers must obtain consent before processing Sensitive Data, and additional protections apply for minors’ data (including consent requirements for certain processing of data of consumers aged 13–15 for targeted advertising or sales).

Data-Specific Exemptions.

The Law contains many broad and somewhat business-friendly exemptions, including for data that is processed for a specific purpose or is already regulated under another law.

  • Employment-Related Data: Data about job applicants, employees, and contractors in an employment or Human Resources context.
  • Business Contact Information: Information arising out of a commercial or business‑to‑business relationship (e.g., contacts at a corporate customer).
  • HIPAA: Protected health information (PHI); other information managed under HIPAA.
  • GLBA: Consumer financial information regulated by the Gramm‑Leach‑Bliley Act.
  • FCRA: Consumer report information processed under the FCRA.
  • Driver Records: Records covered by the Driver’s Privacy Protection Act.
  • Education Records: Student records regulated by FERPA.
  • Others: Data processed under the Airline Deregulation Act, the Farm Credit Act, and certain other federal regimes.

Importantly, the Law also excludes de‑identified data and publicly available information, such as information made lawfully available from government records or widely distributed media, provided certain conditions are met.

Entity-Specific Exemptions.

  • For-profit businesses (<500 employees), so long as they do not sell personal data.
  • Nonprofit entities (<100 employees), so long as they do not sell personal data.
  • Political subdivisions of the state (e.g., counties, municipalities).
  • Two-year and four-year institutions of higher education and their affiliates.
  • Financial institutions and their affiliates to the extent they are subject to GLBA.
  • HIPAA-covered entities and business associates with respect to PHI.
  • National securities associations that are registered under 15 U.S.C. § 78o-3.

Controller Obligations. If subject to the Law, a controller must do the following:

  • Provide notice to the consumer through required privacy notices.
  • Honor consumer rights (data subject rights), including:
    • Access
    • Corrections and Updates
    • Deletion
    • Data Portability
    • Opt-out of targeted advertising, sales, and certain profiling.
  • Perform data protection assessments.
  • Enter into written agreements with processors.

Enforcement. There is no private right of action under the Law. Enforcement lies exclusively with the Alabama Attorney General, subject to a mandatory 45‑day cure period. Upon a finding that the controller has violated the Law and failed to correct the violation, a court may assess a civil penalty of not more than fifteen thousand dollars ($15,000) per violation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
